Re: [lisp] id locator privacy presentation
Dino Farinacci <dino@lispers.net> Fri, 29 March 2019 10:50 UTC
Return-Path: <dino@lispers.net>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 621F4120391 for <lisp@ietfa.amsl.com>; Fri, 29 Mar 2019 03:50:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lispers-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0XGxekNgr1d for <lisp@ietfa.amsl.com>; Fri, 29 Mar 2019 03:50:38 -0700 (PDT)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F6F012026A for <lisp@ietf.org>; Fri, 29 Mar 2019 03:50:36 -0700 (PDT)
Received: by mail-wm1-x329.google.com with SMTP id c1so868080wml.4 for <lisp@ietf.org>; Fri, 29 Mar 2019 03:50:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lispers-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=VFtZHLXzVca2JPlQhAHu96ppQtrOrO/+Yg6cYA0byB8=; b=dORXDbnp5i0z3p9t4jW368Ixf0qRrDmbKzHTu/gVjL6b5+MKAr3GnRS4miva9dWEXT 5JD8zAyA/1Qydy6aI0XSeXOl0ATUkFaecyu7FSQlwWHrt96W5VAT3wIW3xaig7bo44aX z6x7G2/CLgjr2SLIgaxT0AtBf4w0k71qNHT+MkmL+ohClzMr0/5n4aA1BgOE1YuCqy4S 3ZHrAlJaXQByeIr1loksbmdbc7bUqGWkL8cp1fSgU94qgRV6N2lE+Nviu/aFsIcx0+Y2 451pd/npBvs6785Fz6q8nKs6pbeyeJST4VroU417z639oNyRKMfI1nlPOIBw55xLL7Db mwlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=VFtZHLXzVca2JPlQhAHu96ppQtrOrO/+Yg6cYA0byB8=; b=gnwPNwIrskUZ8ejDh6IEFlIpxs2A8WVsiSYdkeCswIPYEkwuDnh6xOOLIt6AQONTug ivIjSTVukEvL8Us58CBsTXoIVMsx/GVy5BDp371ighkA42XxAdD1i+Q0u+h02uVDexSg r6q5bb82hP7nkh22sKYEPFfqaFpmgTGRiEJPokAB5DZVJZr9rZd24npv2pxy0Ms8x/5s +YYjdmUxqX3jK4gUZdCAOIkHwE6b/ylm1nVntCtLfwqLETyxHkO0Y1/Cz17Z60joV2YY gVjlLT8EDzHd4ZaNNHG2bH8LNOotDFJueN/Ps6+s6yc10cptj2yHdIsTVmeVXB/MxTXk WNcQ==
X-Gm-Message-State: APjAAAWTGxcyTmLxzTphAOnWFxuz+CHoaJdw2zLxSWm9wcpz1XGztHef +U/g7VkOpSOUC896LsSVBczhwsIdxvc=
X-Google-Smtp-Source: APXvYqz5cEYPqn0Gro1p3WCFk5JjiwS3ONZ9qgt3YOCvFyhc62vvby2zWfDiTXoT+IYEgDsHuRacwQ==
X-Received: by 2002:a1c:eb17:: with SMTP id j23mr3058034wmh.86.1553856634807; Fri, 29 Mar 2019 03:50:34 -0700 (PDT)
Received: from ?IPv6:2001:67c:1232:144:2495:8adb:f427:367c? ([2001:67c:1232:144:2495:8adb:f427:367c]) by smtp.gmail.com with ESMTPSA id z20sm1776095wma.9.2019.03.29.03.50.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 29 Mar 2019 03:50:33 -0700 (PDT)
From: Dino Farinacci <dino@lispers.net>
Message-Id: <74808158-5D98-4185-887E-3097ED0EEF52@lispers.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6EC1795E-F67C-4598-8C86-50140CCC905D"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Fri, 29 Mar 2019 11:50:32 +0100
In-Reply-To: <e07934db-da74-fc44-ef0f-6ceaaba6a887@acm.org>
Cc: "lisp@ietf.org list" <lisp@ietf.org>
To: Erik Nordmark <nordmark@acm.org>
References: <e07934db-da74-fc44-ef0f-6ceaaba6a887@acm.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/wbxyzeat--tABrv2NJltFlwNaWM>
Subject: Re: [lisp] id locator privacy presentation
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 10:50:51 -0000
Here are my comments on your slides with respect to what draft-ietf-lisp-eid-anonymity is addressing. The draft indicates more than one random or crypto EID can be used. Random EIDs may not survive moves but it is a function of how long you want them to be active. If you do not want to shut down transport connections during moves, you must keep using the EID. And for crypto-EIDs that will usually have a longer lifetime than a random-number generated EID, will have the mobility benefits with session survivability. Crypto-EIDs are longer lived just because you want to contain the cost of key-pair generation. Obviously LISP-proper has long-lived EIDs by default. So the original EID definition does focus on long-lived EIDs. But we want to go the other way and not associate an EID to a human. But its a moving scale from one side to the other. In terms of RLOC hiding, it is a hard problem since RLOCs have to appear in outer unencrypted IP headers. But if a service provider can allocate a set of RLOCs to an interface, then a LISP capable system can change the use of RLOCs while rotating ephemeral-EIDs. So the 2-tuple is constantly changing. Also, when lisp-crypto is used no one can see the ephemeral-EID in the packet. All an observer can see is a rotated RLOC and can only associate it with a service-provider. If we need more privacy than that, I suggest service providers allocating addresses that don’t have geographical relationship and certainly don’t DNS reverse name them. ;-) The mapping system can authenticate and authorized lookup users. So not anyone can get the RLOC of an EID. You can only allow all EIDs in an VPN instance-ID to get access and even a subset if you white-list. An oberver only sees LISP-crypto packet RLOCs and not EIDs. So it doesn’t know who the end-system is just that “its a customer of Comcast” perhaps. I don’t know what a fixed-point anchor locator means. But in LISP, a provider-assigned RLOC typically doesn’t change. But sitting behind an IPv4 NAT it can. Meaning the address can change but most likely (and often) the (address, port) pair changes due to port changing on NAT state timeout. Note when RTRs are used as anchor points, remote ITRs that encapsulate only know to use the RLOC of the RTR and doesn’t know the RLOC of the EID. In my implementation, only the RTR lookup request for the EID returns the RLOC of the EID, but others only see the RLOC of the RTR. So after reading the slide-set and before re-reading your Internet-Draft, I think LISP has all the features for good privacy. I’m not going to claim perfect privacy because you never can but good enough. Please comment. Thanks, Dino > On Mar 29, 2019, at 11:06 AM, Erik Nordmark <nordmark@acm.org> wrote: > > > Dino, > > You don't have to wait until the next meeting for a presentation. > > There is the draft: > https://tools.ietf.org/html/draft-nordmark-id-loc-privacy-00 > > The slides: > https://datatracker.ietf.org/doc/slides-102-intarea-privacy-issues-in-idlocator-separation-systems/ > > The video: starts at 1:34:20 in > https://www.youtube.com/watch?v=PlC0xdk38tc > > It probably makes sense to refer to that in the anonymity draft. > > Regards, > Erik > > _______________________________________________ > lisp mailing list > lisp@ietf.org > https://www.ietf.org/mailman/listinfo/lisp
- [lisp] id locator privacy presentation Erik Nordmark
- Re: [lisp] id locator privacy presentation Dino Farinacci
- Re: [lisp] id locator privacy presentation Dino Farinacci